AZ-204 Microsoft Azure Developer Associate – Implement Azure Security part 5
- AZ-203 – Lab – Conditional Access Policies
Hi and welcome back. Now, another way of enabling multifactor authentication for users is to use something known as conditional access policies. So if you go on to Azure AD, under Security there is a section for Conditional Access. Now, by default there are already four baseline policies in place. But if you want to add a new policy, you have to make sure that you have the appropriate license in place. Now, if you're just learning Azure, you might normally be using the Azure AD free account. In order to use conditional access, you have to have the appropriate licensing. So, for example, you might need to have Azure AD Premium P2 licensing.
Now, what you can do is actually use the Azure AD Premium P2 licenses for free for a month. So currently I've already subscribed to it. But if you have not, you will get a placeholder over here where you can sign up to use the product free of cost for 30 days. So make sure you do that so that you can try out this feature. Don't worry, after 30 days you will not be charged any money. The trial product will just stop, and you would have to go ahead and buy the product in order to continue using the Azure AD Premium P2 features. Now, once you've subscribed for the Azure AD Premium P2 trial licenses, the monthly licenses which come free, what you have to do is go on to your users, go on to your main root user, go on to Licenses, and make sure that you assign the license.
Now, please note over here I have Enterprise Mobility + Security E5. So this is another product which comes free of cost, which again includes the ability to have conditional access policies. And this comes for a duration of 90 days, so you can do that as well. So over here, I've already assigned a license. But what you have to do is go ahead and make sure that you assign that license to that user. Since I've already gone ahead and done that, it's in place. Then make sure that you log out and log in again; that's what I normally do. And then you can go ahead and start using conditional access policies. So if I go on to Conditional Access and go ahead and add a new policy, there are different parts of the policy. So first is the users and groups.
So you could create this policy to apply to all users or to selected users and groups. You could also have an exclusion in place for users and groups as well. Then you have the cloud apps. So for those users and groups, maybe you want to ensure that the policy you are stating over here applies to all the cloud applications used by the users. Or maybe you want to ensure that only when users use the Microsoft Azure portal, that's the Microsoft Azure Management application, only then will the policy be applied to them. So these are different conditions of the policy. So if the user is part of the users or groups that you mentioned over here, and if they're using Microsoft Azure Management, that's the Microsoft Azure portal, then the policy will be applied to them.
Next are the conditions. Here you can add different conditions: device platforms, if you want to specify a particular device platform; locations; and something known as sign-in risk. So all of these are the conditions that you can state as part of your policy. And then finally you have the access controls. So here is where you can say grant access, but require multifactor authentication. So this is better when you want to apply multifactor authentication for a collection of users. So as an example, if you want to apply this policy, you can select one of the users in your account. So make sure that you create a user in your Azure AD directory. Click on Done. Next, in Cloud apps or actions, select an application; so you can select the Microsoft Azure portal.
So that's the Microsoft Azure Management app; select that. So that's fine, because we are not locking ourselves out; we have already selected a specific user. I'll click on Done. On the conditions, I won't add any condition. I just want to ensure that every time that user logs in, they are prompted for multifactor authentication. For that you can go on to Access controls. I'll say Grant access and Require multifactor authentication. If you want, you can have multiple controls that can be enforced. You can click on Select, give a name for the policy, make sure it is enabled and then hit Create. So now the policy is in place. Now whenever that user logs in again, they will be prompted for multifactor authentication. So this is another way in which you can enable multifactor authentication for users in Azure.
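The policy built in the portal above, as an added example that is not part of the course: the same four parts (users and groups, cloud apps, conditions, access controls) written as a Microsoft Graph conditionalAccessPolicy object and created with `az rest` instead of the portal. The user object ID is a placeholder, and the Azure Management app ID is the well-known one for the portal, so check it in your own tenant.

```shell
# Added example, not from the course: the portal policy as a Graph conditionalAccessPolicy.
: "${TARGET_USER_ID:=00000000-0000-0000-0000-0000000000aa}"     # object ID of the test user (placeholder)
: "${AZURE_MGMT_APP_ID:=797f4846-ba00-4fd7-ba43-dac1f8f63013}"  # Microsoft Azure Management (portal); verify in tenant
: "${POLICY_NAME:=Require MFA for Azure portal}"
# Users and groups -> conditions.users; cloud apps -> conditions.applications; no
# device, location or sign-in risk condition; access controls -> grant with MFA.
ca_policy_json() {   # $1 name, $2 state, $3 user object ID, $4 app ID
  cat <<EOF
{
  "displayName": "$1",
  "state": "$2",
  "conditions": {
    "users": { "includeUsers": ["$3"] },
    "applications": { "includeApplications": ["$4"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}
run() { ${DRY_RUN:+echo} "$@"; }   # with DRY_RUN set, print instead of calling Graph
# Scoping to one user rather than "All" is what keeps the admin from locking themselves out;
# "enabled" enforces, "enabledForReportingButNotEnforced" would only report.
create_policy() {
  [ "$1" != "All" ] || { echo "refusing to target all users" >&2; return 1; }
  run az rest --method POST \
    --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" \
    --headers "Content-Type=application/json" \
    --body "$(ca_policy_json "$POLICY_NAME" enabled "$1" "$AZURE_MGMT_APP_ID")"
}
if [ "${APPLY:-0}" = "1" ]; then create_policy "$TARGET_USER_ID"; else DRY_RUN=1 create_policy "$TARGET_USER_ID"; fi
```

Without `APPLY=1` the script only prints the request; the real call needs an `az login` session whose account holds the Policy.ReadWrite.ConditionalAccess permission.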
- AZ-203 – Azure Kubernetes – Integrating with Azure AD
Hi and welcome back. Now in the next chapter, we're actually going to see how to implement Azure AD authentication for an Azure Kubernetes cluster. But since the process is quite lengthy and there are a number of steps, let's first try to understand what exactly goes into implementing Azure AD authentication for a Kubernetes cluster. So, let's say that you want to give permissions on your Kubernetes cluster to your users who are in Azure AD. In order to enable that integration between Azure AD and Kubernetes, you have to follow these steps. So, the first thing is to register two applications in Azure AD: something known as a client application and a server application.
So, when the user sends commands to Azure Kubernetes, let's say the user is using the kubectl command to get the number of pods in the cluster, they first have to authenticate using the client application. That client application will interact with the server application. That server application basically has the authority to read the directory data. So that's how the flow works. So, in Azure AD, we first have to create a client and a server application. The server application will have the permissions to read the directory data in Azure AD. So when the user authenticates using the client application, the client application will send that authentication data to the server application, and the server application will perform the authentication via Azure AD.
Now, once you have the client and the server application, you have to take the client application ID, the server application ID, a server application secret, and your tenant ID. Once you have all of this in place, you then go ahead and provision your Azure Kubernetes cluster. So remember, first you create your applications and then you create your cluster. Now, after you perform this activity, the next thing is to assign RBAC roles on the cluster to your users or your groups. So you could have users which are part of groups, and those groups could be given authorization to perform the commands on your cluster. Now, there are two basic roles that you can give. The first is a normal role, which gives permissions within a particular namespace.
This is done via a role binding, and the next is a cluster role, which is done via a cluster role binding. This is for permissions to all namespaces in your cluster. Now, these roles are applied by applying YAML files. And you'll see all of this in our lab. So this is what goes into Azure AD authentication for Azure Kubernetes. Now, before we actually move on, just a quick note. When you create a cluster, you also get something known as a service principal. So don't confuse the service principal with RBAC, or with your application, or with Azure AD. The service principal is basically used to authorize Azure Kubernetes to work with other resources such as the Azure Container Registry. So remember that the cluster can pull images from the container registry, and it's doing that via the use of a service principal. So this is from an introduction perspective. Let's go on to the next chapter where we'll see a lab on this.
- AZ-203 – Lab – Azure Kubernetes – Integration with Azure AD
Right, so here we are in Azure. So first things first, let's go on to Azure AD. Let's create our server application and our client application, as required to integrate Azure AD with Azure Kubernetes. So this needs to be done before you actually create a Kubernetes cluster. So let's go on to App registrations. Let me go ahead and add a new registration. Let me give a name. I'll make sure that it's accounts in this organizational directory only. We can just give any redirect URI. Click on Register. Now, once this is done, let's go on to the manifest. We have to ensure that this server application can actually go ahead and get the group claims. So remember, users can be part of groups, and when they authenticate themselves to the cluster, the application needs to be able to get the claims for those groups. So let's go ahead and modify the group membership claims setting in the manifest to all.
Let me go ahead and click on Save. So the next step is to go ahead and generate a client secret. So this is a secret for the application; let's term this the application secret for the server. So let's create a new client secret. We can give it a name. Click on Add. Now, please make sure to take this value right now. After you exit this page, you will not be able to see the value of the secret. So let me go ahead and store it in Notepad. So here I'm just storing the server application secret. We can also get the server application ID. For that, you can go on to the Overview, take this application (client) ID and copy it. So let's keep it over here. We can also get the directory or tenant ID. So all of this is required when you create a Kubernetes cluster which needs to authenticate itself to Azure AD.
So again, you can get that from here: the directory or tenant ID. Now for this server application, we have to do another couple of things. So we have to go on to API permissions. This already has permissions to go ahead and read the information for users from Azure AD. We also have to make sure that it can read the directory as well. So let's go on to Add a permission. Let's choose Microsoft Graph. Let's choose delegated permissions. Let's search for directory. Let's go to Directory.Read.All. Click on Add permissions. Let's add another permission, again Microsoft Graph. This time application permissions. Let's go on to directory.
Let's go again to Directory.Read.All and add permissions. Now the permissions have been granted. Let's just wait 10 seconds before granting admin consent. Now I'm going to go ahead and grant admin consent. I'll click on Yes. So that's also done. Let's go ahead and Expose an API. So let's add a scope. We'll accept the Application ID URI. Click on Save and continue. We'll give a scope name, the admin consent display name and the admin consent description. Now, in case you're not getting the option to add a scope, what you can do is click on Cancel. Let's add a scope again. Let's enter the scope name and the rest of the details. And now you can see the Add button.
The Add scope button. Make sure it's Admins only and the state is Enabled. Let's add the scope. Right, so that's done when it comes to the server application. Now let's go ahead and add a client application. So, a new registration. We can give a name, again accounts in this organizational directory only. Let's enter the redirect URI. Click on Register. Now let's go on to the API permissions. Let's add a permission. Now I'm going to choose My APIs, choose the EKS Server, select the server scope and add the permissions. Let's again wait for 10 seconds. Once this is done, let's go ahead and grant the admin consent. Click on Yes. So this is also done. Now let's go over to Authentication. Let's make sure that we choose the default client type as Yes, for it being a public client.
Let's click on Save. Right, so now we have our server and our client application in place. It's now time to go ahead and create our Azure Kubernetes cluster. Now, while Cloud Shell is getting set up, for the client application let's go on to the Overview and take the client ID. So we'll go to our Notepad, and this is the client application ID. And now we're going to enter all of this in a command to create our cluster. Now that Azure Cloud Shell is in place, I'll go ahead and issue the first command, and that is to create a new resource group. Once it's in place, let me just clear the screen. Now let me issue the command to create our cluster. So over here, I'm giving the resource group name, I'm giving the name of the cluster, and I'm generating the SSH keys.
Now here I'm adding the server application ID, the server application secret, the client ID, and the tenant ID. So let me go ahead and execute this command. So let's come back once the cluster is in place. Now, once the cluster creation is complete, let me go ahead and just clear the screen. So here I'm going to go ahead and set the context as the admin for the cluster. Now, the next step is to ensure that we create an RBAC binding for the Kubernetes cluster. So in order for a user to authenticate to the cluster using Azure AD, there has to be an RBAC role in place. So over here, I am showing you a sample YAML file that you can use. So the main thing over here is the cluster role.
So for the cluster role, I'm going to be giving the authorization to a user in my Azure AD account. So I already have a user in my Azure AD account known as Dave. So we're going to give this user the authorization of the cluster role for the Kubernetes cluster. Now let's go ahead and apply this particular YAML file to our cluster. So let me go ahead and upload that authentication file, so I see the contents. I have the auth deploy YAML file. Now let me go ahead and apply the configuration. So that's done. Now let me go ahead and set the context as a non-admin user; I'll just overwrite it. So that's done.
Now, if I issue the command to get the nodes, it's now going to ask me to sign in. So let me go and sign in using this code. Once I enter the code, let me hit Next. So I'll choose my user, that's Dave. So it will sign in. I've already entered the password before; that's why it has automatically remembered my password. If not, it'll ask you for the password. So let's go ahead and close the screen. And if you come back, you can now see that you've got the nodes in the Kubernetes cluster. So this is how you can integrate Azure AD with Azure Kubernetes.
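The whole lab in one script, as an added example that is not the course's own commands: it checks the four values collected from the two app registrations, passes them to the legacy Azure AD flags of `az aks create`, and renders and applies the cluster role binding for the Azure AD user. The resource names, GUIDs and user are placeholders; binding to the built-in `cluster-admin` ClusterRole is an assumption, since the lecture's own YAML is not reproduced on this page.

```shell
# Added example, not the course's own commands; all values are placeholders to replace.
: "${RG:=aks-aad-rg}" "${CLUSTER:=aks-aad-demo}" "${LOCATION:=eastus}"
: "${SERVER_APP_ID:=00000000-0000-0000-0000-000000000001}"  # server app (client) ID
: "${SERVER_APP_SECRET:=<server-app-secret>}"                # server app client secret
: "${CLIENT_APP_ID:=00000000-0000-0000-0000-000000000002}"  # client app (client) ID
: "${TENANT_ID:=00000000-0000-0000-0000-000000000003}"      # directory (tenant) ID
: "${AAD_USER:=dave@<tenant>.onmicrosoft.com}"               # Azure AD user to bind
# App and tenant IDs are GUIDs: catch a pasted secret or truncated ID before the create.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
check_inputs() {
  is_guid "$SERVER_APP_ID" && is_guid "$CLIENT_APP_ID" && is_guid "$TENANT_ID" &&
    [ -n "$SERVER_APP_SECRET" ] && [ -n "$AAD_USER" ]
}
run() { ${DRY_RUN:+echo} "$@"; }   # with DRY_RUN set, print each command instead of running it
# Legacy Azure AD flags: the server app reads the directory; the client app is what kubectl signs in through.
aks_create() {
  run az aks create --resource-group "$RG" --name "$CLUSTER" --generate-ssh-keys \
    --enable-rbac --aad-server-app-id "$SERVER_APP_ID" \
    --aad-server-app-secret "$SERVER_APP_SECRET" \
    --aad-client-app-id "$CLIENT_APP_ID" --aad-tenant-id "$TENANT_ID"
}
# ClusterRoleBinding: the Azure AD user gets the built-in cluster-admin ClusterRole,
# i.e. rights in every namespace (what the lab does for Dave).
rbac_yaml() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $1
EOF
}
main() {
  check_inputs || { echo "IDs must be GUIDs; secret and user must be set" >&2; return 1; }
  run az group create --name "$RG" --location "$LOCATION"
  aks_create
  run az aks get-credentials -g "$RG" -n "$CLUSTER" --admin                # admin context
  rbac_yaml "$AAD_USER" | run kubectl apply -f -                          # bind the user
  run az aks get-credentials -g "$RG" -n "$CLUSTER" --overwrite-existing  # user context
}
if [ "${APPLY:-0}" = "1" ]; then main; else DRY_RUN=1 main; fi  # only touch Azure when APPLY=1
```

After the last step, `kubectl get nodes` runs under the user context and triggers the device-code sign-in the lecture shows for Dave.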